Role-Based Access Control for Cyber-Physical Systems Using Shibboleth

In this paper, we propose a role-based access control (RBAC) system for the distributed resources in a cyber-physical system. Current identity-based access control systems cause substantial administration overhead for the resource managers in the cyberphysical system because of the direct mapping between individual users and the access privileges on the resources. Our RBAC system uses Shibboleth, which is an attribute authorization service currently being used in Grids. The administration overhead is reduced in our system because the role privileges of individual users are managed by Shibboleth, not by the resource managers. For the uniform specification of access control policies across different security domains, we use the core and hierarchical RBAC profile of the eXtensible Access Control Markup Language (XACML); and for distributed administration of those policies, we used the Object, Metadata and Artifacts Registry (OMAR). OMAR is based on the e-business eXtensible Markup Language (ebXML) registry specifications developed to achieve interoperable registries and repositories. Our RBAC system provides scalable and fine-grain access control and allows privacy protection. Performance analysis shows that our system adds only a small overhead to the existing security infrastructures.